[jboss-cvs] JBossAS SVN: r60779 - in branches/Branch_4_2/server/src: main/org/jboss/web and 1 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Wed Feb 21 17:08:47 EST 2007
Author: anil.saldhana at jboss.com
Date: 2007-02-21 17:08:46 -0500 (Wed, 21 Feb 2007)
New Revision: 60779
Modified:
branches/Branch_4_2/server/src/main/org/jboss/metadata/WebMetaData.java
branches/Branch_4_2/server/src/main/org/jboss/web/WebPermissionMapping.java
branches/Branch_4_2/server/src/resources/dtd/jboss-web_4_2.dtd
Log:
JBAS-1824:Generate WebResourcePermission(uri,null) for <role-name>*</role-name>
Modified: branches/Branch_4_2/server/src/main/org/jboss/metadata/WebMetaData.java
===================================================================
--- branches/Branch_4_2/server/src/main/org/jboss/metadata/WebMetaData.java 2007-02-21 21:59:07 UTC (rev 60778)
+++ branches/Branch_4_2/server/src/main/org/jboss/metadata/WebMetaData.java 2007-02-21 22:08:46 UTC (rev 60779)
@@ -101,6 +101,8 @@
private ArrayList virtualHosts = new ArrayList();
/** The jboss-web.xml JNDI name of the security domain implementation */
private String securityDomain;
+ /** JBAS-1824: Flag whether WebResourcePermission(url,null) needed for rolename '*' */
+ private boolean jaccRoleNameStar = false;
/** The jboss-web.xml securityDomain flushOnSessionInvalidation attribute */
private boolean flushOnSessionInvalidation;
@@ -391,8 +393,28 @@
{
this.securityDomain = securityDomain;
}
+
+ /**
+ * JBAS-1824: Specify whether a WebResourcePermission(url,null)
+ * needs to be generated by the container
+ * @return
+ */
+ public boolean isJaccRoleNameStar()
+ {
+ return jaccRoleNameStar;
+ }
- /** The flag indicating whether the associated security domain cache
+ /**
+ * JBAS-1824: Specify whether a WebResourcePermission(url,null)
+ * needs to be generated by the container
+ * @return
+ */
+ public void setJaccRoleNameStar(boolean jaccRoleNameStar)
+ {
+ this.jaccRoleNameStar = jaccRoleNameStar;
+ }
+
+/** The flag indicating whether the associated security domain cache
* should be flushed when the session is invalidated.
* @return true if the flush should occur, false otherwise.
*/
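Review bot: The Javadoc on `setJaccRoleNameStar` is a copy of the getter's, including an `@return` tag on a `void` method, and the getter's own `@return` is empty. For the getter use `@return true if WebResourcePermission(url,null) is generated for role-name '*'`, and for the setter replace the tag with `@param jaccRoleNameStar true to generate WebResourcePermission(url,null) for role-name '*'`. The re-added `/** The flag indicating ...` line for the next method also lost its indentation compared with the line it replaces. That following method's body lies outside the hunk.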
@@ -973,6 +995,13 @@
Boolean flag = Boolean.valueOf(securityDomainElement.getAttribute("flushOnSessionInvalidation"));
flushOnSessionInvalidation = flag.booleanValue();
}
+
+ //Parse the jboss-web/jacc-star-role-allow element
+ Element jaccStarRoleElement = getOptionalChild(jbossWeb, "jacc-star-role-allow");
+ if (jaccStarRoleElement != null)
+ {
+ jaccRoleNameStar = "true".equalsIgnoreCase(getElementContent(jaccStarRoleElement));
+ }
// Parse the jboss-web/virtual-host elements
for (Iterator virtualHostElements = getChildrenByTagName(jbossWeb, "virtual-host");
Modified: branches/Branch_4_2/server/src/main/org/jboss/web/WebPermissionMapping.java
===================================================================
--- branches/Branch_4_2/server/src/main/org/jboss/web/WebPermissionMapping.java 2007-02-21 21:59:07 UTC (rev 60778)
+++ branches/Branch_4_2/server/src/main/org/jboss/web/WebPermissionMapping.java 2007-02-21 22:08:46 UTC (rev 60779)
@@ -59,7 +59,7 @@
private static final int DEFAULT = 3;
/** An prefix pattern "/prefix/*" */
private static final int EXACT = 4;
-
+
/**
* Apply the JACC rules for creating permissions from the web.xml
* security-constraints.
@@ -121,13 +121,19 @@
String role = (String) roles.next();
if( role.equals("*") )
{
- // The wildcard ref maps to all declared security-role names
- Iterator allRoles = metaData.getSecurityRoleNames().iterator();
- while( allRoles.hasNext() )
- {
- role = (String) allRoles.next();
- mappedRoles.add(role);
- }
+ //JBAS-1824: Allow "*" to provide configurable authorization bypass
+ if(metaData.isJaccRoleNameStar())
+ mappedRoles.add("*");
+ else
+ {
+ //The wildcard ref maps to all declared security-role names
+ Iterator allRoles = metaData.getSecurityRoleNames().iterator();
+ while( allRoles.hasNext() )
+ {
+ role = (String) allRoles.next();
+ mappedRoles.add(role);
+ }
+ }
}
else
{
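Review bot: With the flag set, the `*` branch adds only the literal name `*` to `mappedRoles` and no longer expands to the declared security-role names, so what callers in those declared roles are granted depends on how the configured JACC provider treats a role called `*`, which is not visible here. The comment `//JBAS-1824: Allow "*" to provide configurable authorization bypass` should spell out what the deployer opts into, for example `// JBAS-1824: keep "*" as a literal role for the JACC provider; declared roles are not expanded`. The unbraced `if` paired with a braced `else` is easy to misread in access-control code; brace both arms. The enclosing method starts and ends outside the hunk.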
@@ -172,10 +178,19 @@
{
Map.Entry roleMethods = (Map.Entry) roles.next();
String role = (String) roleMethods.getKey();
- HashSet methods = (HashSet) roleMethods.getValue();
- httpMethods = new String[methods.size()];
- methods.toArray(httpMethods);
- WebResourcePermission wrp = new WebResourcePermission(qurl, httpMethods);
+ WebResourcePermission wrp = null;
+ if("*".equals(role))
+ {
+ //JBAS-1824: <role-name>*</role-name>
+ wrp = new WebResourcePermission(qurl, (String)null);
+ }
+ else
+ {
+ HashSet methods = (HashSet) roleMethods.getValue();
+ httpMethods = new String[methods.size()];
+ methods.toArray(httpMethods);
+ wrp = new WebResourcePermission(qurl, httpMethods);
+ }
pc.addToRole(role, wrp);
}
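Review bot: In the `"*".equals(role)` branch the method set from `roleMethods.getValue()` is ignored and `new WebResourcePermission(qurl, (String)null)` is built; null actions stand for every HTTP method, so a constraint that lists only some methods together with `<role-name>*</role-name>` yields a permission wider than the constraint. The branch also keys on the role name alone rather than on `metaData.isJaccRoleNameStar()`, so it relies on `*` reaching this map only when the flag is on, which presumably holds given the earlier hunk but is not checked here. If the all-methods permission is meant purely as a marker for the provider, say so in the comment, e.g. `// JBAS-1824: marker permission, intentionally all methods; provider decides`; otherwise build it from the method set as the `else` arm does. The loop and method continue outside the hunk.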
Modified: branches/Branch_4_2/server/src/resources/dtd/jboss-web_4_2.dtd
===================================================================
--- branches/Branch_4_2/server/src/resources/dtd/jboss-web_4_2.dtd 2007-02-21 21:59:07 UTC (rev 60778)
+++ branches/Branch_4_2/server/src/resources/dtd/jboss-web_4_2.dtd 2007-02-21 22:08:46 UTC (rev 60779)
@@ -17,11 +17,11 @@
<!-- The jboss-web element is the root element.
-->
-<!ELEMENT jboss-web (class-loading?, security-domain?, context-root?,
+<!ELEMENT jboss-web (class-loading?, security-domain?, jacc-star-role-allow?, context-root?,
virtual-host*, use-session-cookies?, replication-config?, resource-env-ref*,
resource-ref*, security-role*, ejb-ref*, ejb-local-ref*,
message-destination-ref*, message-destination*,
- webservice-description*, service-ref*, depends*, servlet*, authenticators*)>
+ webservice-description*, service-ref*, depends*, servlet*)>
<!-- The class-loading element allows one to override the default class
loading behavior of the web container. You can specify the
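Review bot: The new `jboss-web` content model drops `authenticators*`, which the log message (JBAS-1824) does not mention, and the last hunk of this file deletes the `authenticators` and `authenticator` element declarations. A `jboss-web.xml` that customizes authenticators would no longer validate against this DTD, so if the removal is intentional it belongs in its own commit with its own log entry; otherwise keep `servlet*, authenticators*)>` as the tail of the model. Also note that `jacc-star-role-allow?` is position-sensitive here: it must follow `security-domain` and precede `context-root`, which is worth stating in the element's comment.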
@@ -85,6 +85,13 @@
-->
<!ELEMENT context-root (#PCDATA)>
+<!-- (JBAS-1824) The jacc-star-role-allow element specifies whether the
+jacc permission generating agent in the web layer needs to generate a
+WebResourcePermission(url,null) permission such that the jacc provider can
+make a decision as to bypass authorization or not.
+-->
+<!ELEMENT jacc-star-role-allow (#PCDATA)>
+
<!-- The security-domain element allows one to specify a module wide
security manager domain. It specifies the JNDI name of the security
manager that implements the org.jboss.security.AuthenticationManager and
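Review bot: The comment on `jacc-star-role-allow` does not state the accepted values or the default, and it is the only place a deployer will read about a switch that changes how `<role-name>*</role-name>` is authorized. From the parsing added in WebMetaData.java, only the text `true` (any case) turns it on and an absent element leaves it off. Add a line such as `Accepted values: true | false. Default: false (the wildcard maps to all declared security-role names).` and say that with `true` the decision is delegated to the JACC provider.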
@@ -420,34 +427,3 @@
Used in: servlet
-->
<!ELEMENT run-as-principal ( #PCDATA )>
-
-<!--
- Customize the tomcat authenticators at the context or web-app level.
- These are keyed in by http-auth method specified in login-config in web.xml
-
- <authenticators>
- <authenticator>
- <key>BASIC</key>
- <value>org.apache.catalina.authenticator.BasicAuthenticator</value>
- </authenticator>
- <authenticator>
- <key>CLIENT-CERT</key>
- <value>org.apache.catalina.authenticator.SSLAuthenticator</value>
- </authenticator>
- <authenticator>
- <key>DIGEST</key>
- <value>org.apache.catalina.authenticator.DigestAuthenticator</value>
- </authenticator>
- <authenticator>
- <key>FORM</key>
- <value>org.apache.catalina.authenticator.FormAuthenticator</value>
- </authenticator>
- <authenticator>
- <key>NONE</key>
- <value>org.apache.catalina.authenticator.NonLoginAuthenticator</value>
- </authenticator>
- </authenticators>
--->
-
-<!ELEMENT authenticators (authenticator+)>
-<!ELEMENT authenticator ( key, value )>